Insights, news, education and announcements from PolySwarm

Kimwolf Botnet Targeting Android TV Devices Worldwide

Written by The Hivemind | Jan 9, 2026 2:46:08 PM

Verticals Targeted: Consumer Electronics, Residential Networks
Regions Targeted: Brazil, India, United States, Vietnam, Saudi Arabia, Russia, Argentina, South Africa, Philippines, Mexico, Thailand, Indonesia, Morocco, Turkey, Iraq, Pakistan, China
Related Families: Aisuru

Executive Summary

Security researchers have detailed the Kimwolf botnet, a massive Android-based network exceeding 1.8 million infected devices, primarily TV boxes, enabling DDoS attacks, proxy services, and other malicious activities through exploitation of residential proxy networks and device vulnerabilities. This threat demonstrates rapid growth and resilience, leveraging advanced evasion techniques to maintain control and monetize infections.

Key Takeaways

  • Kimwolf has infected over two million devices globally, focusing on Android TV boxes with the Android Debug Bridge (ADB) enabled, which allows unauthenticated access and rapid propagation via proxy tunneling.
  • Kimwolf operators exploit residential proxy services like IPIDEA to tunnel into local networks, dropping payloads that establish persistence and enable DDoS capabilities up to 30 Tbps.
  • The botnet incorporates DNS over TLS for evasion, elliptic curve signatures for C2 authentication, and EtherHiding via Ethereum Name Service domains to resist takedowns.
  • Monetization occurs through proxy bandwidth sales, app installs, and DDoS services, with links to the Aisuru botnet indicating shared infrastructure and operators.

What is Kimwolf?

Industry researchers exposed the Kimwolf botnet, which has compromised more than two million Android devices worldwide, with infections heavily concentrated in residential settings across Brazil, India, the United States, and other nations. Krebs on Security recently spotlighted the Kimwolf botnet. Qianxin’s XLab published an analysis of Kimwolf, and Synthient Research provided information on an updated Kimwolf payload. 

Compiled using the Android Native Development Kit, Kimwolf integrates DDoS functionalities alongside proxy forwarding, reverse shells, and file management, employing stack XOR encryption for sensitive data and DNS over TLS to bypass detection. Its command-and-control authentication relies on elliptic curve digital signatures, ensuring only verified communications proceed, while recent upgrades incorporate EtherHiding with Ethereum Name Service domains for enhanced resilience against infrastructure disruptions.

The botnet's propagation exploits vulnerabilities in residential proxy networks, such as inadequate restrictions on internal address access, allowing attackers to tunnel through endpoints and target devices with exposed Android Debug Bridge on port 5555. Synthient identified that two-thirds of infections involve unauthenticated Android TV boxes, often pre-loaded with proxy malware or requiring unofficial apps for pirated content streaming. These devices, sold under various no-name brands on major e-commerce platforms, arrive with factory-enabled debug modes, facilitating remote configuration and malware deployment. XLab's takeover of a C2 domain revealed peak daily active IPs nearing 1.83 million, underscoring the challenge of accurate sizing due to dynamic IP allocation and global time zone distributions.

Kimwolf's operators have demonstrated aggressive tactics, issuing 1.7 billion DDoS commands over three days in November 2025, targeting IPs indiscriminately and participating in attacks reaching 30Tbps. Horizontal comparisons with Aisuru, which shares code, APKs, and infrastructure, suggest a common threat group repurposing elements for improved stealth on Android platforms. Evidence includes identical signing certificates, reused reporters like "tiananmeng," and downloader scripts linking both families. Additional components, such as a Rust-based command client for proxying and the ByteConnect SDK for revenue generation, maximize exploitation, potentially yielding tens of thousands in monthly profits from bandwidth sales.
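As an added illustration (not code from PolySwarm, XLab, or Synthient), the Python sketch below shows how a defender could flag the three precursors the preceding paragraphs describe in connection records exported from a home gateway: a LAN host reaching ADB on port 5555 of another device, a consumer device using DNS over TLS directly instead of the gateway resolver, and an outbound flow burst consistent with DDoS participation. The record format, thresholds, and sample flows are constructed for this example.

```python
import ipaddress
from collections import defaultdict

ADB_PORT = 5555     # Android Debug Bridge; Kimwolf targets boxes shipped with it enabled
DOT_PORT = 853      # DNS over TLS; used by the bot to sidestep local resolver logging
FLOW_BURST = 1000   # outbound flows from one device above which we treat it as DDoS-like

# RFC 1918 ranges; everything else is treated as outside the home LAN.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records: (src_ip, dst_ip, dst_port, proto, flow_count).
# 192.168.1.53 plays the part of an Android TV box; .20 a residential-proxy node.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.53", 5555, "tcp", 3),      # lateral ADB connection
    ("192.168.1.53", "203.0.113.10", 853, "tcp", 12),      # TV box doing DoT itself
    ("192.168.1.53", "198.51.100.7", 443, "tcp", 20000),   # flood toward one host
    ("192.168.1.30", "192.168.1.1", 53, "udp", 40),        # normal DNS via gateway
    ("192.168.1.30", "203.0.113.50", 443, "tcp", 15),      # normal HTTPS
]


def is_local(ip):
    """True if ip falls inside an RFC 1918 range, i.e. on the home LAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def flag_flows(flows):
    """Return (indicator, device_ip, detail) tuples for suspicious records."""
    findings = []
    outbound = defaultdict(int)
    for src, dst, dport, proto, count in flows:
        if proto == "tcp" and dport == ADB_PORT and is_local(dst):
            # A LAN host reaching ADB on another LAN host means the debug bridge
            # is exposed; this is the path Kimwolf tunnels into via proxy nodes.
            findings.append(("adb_reachable", dst, f"{src} -> {dst}:{dport}"))
        if proto == "tcp" and dport == DOT_PORT and not is_local(dst):
            # External DoT bypasses the gateway resolver where C2 lookups would be seen.
            findings.append(("dot_bypass", src, f"{src} -> {dst}:{dport}"))
        if not is_local(dst):
            outbound[src] += count
    for src, total in outbound.items():
        if total >= FLOW_BURST:
            findings.append(("flow_burst", src, f"{total} outbound flows"))
    return findings


def flagged_devices(flows):
    """Distinct LAN devices implicated by at least one indicator."""
    return sorted({device for _, device, _ in flag_flows(flows)})


if __name__ == "__main__":
    for finding in flag_flows(SAMPLE_FLOWS):
        print(*finding)
```

In the constructed data all three indicators converge on the same TV box, which is the pattern a defender would expect once a device has been reached over ADB and enrolled.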

This threat erodes assumptions of local network security, as compromised mobile devices or guest connections can expose internal systems. Proxy providers have responded with mitigations, such as blocking internal DNS resolutions and high-risk ports, but the botnet's rebuild speed, regaining two million nodes in days, highlights ongoing risks. Collaborative takedowns have disrupted operations multiple times, forcing tactical evolutions, but sustained intelligence sharing is essential to counter this evolving threat. 

IOCs

PolySwarm has multiple samples of Kimwolf.

Click here to view all samples of Kimwolf in our PolySwarm portal.

Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.